Task 1 Introduction
Nessus is a vulnerability scanner with free and paid versions and a GUI to operate the tool.
No answer needed
Task 2 Installation
First I downloaded a copy of the Nessus Installer from https://www.tenable.com/downloads/. You will need to find the right copy for your system. For the purposes of this write-up I am installing on a Windows system but Nessus is available for Windows, Mac OS, and several distributions of Linux, as well as Raspberry Pi.

First click the link for the appropriate version you need.

Then read and accept the License Agreement. Once it finishes downloading, run the installer and walk through the install steps.


Choose an install location then click Install. Allow the program some time to complete.

When the installation finishes, Nessus should open a new page in your browser for the Nessus web interface. If this does not happen, go to https://localhost:8834/#/ in your browser.
Once in the web interface, click Connect via SSL. My browser, Firefox, detected the next page as possibly dangerous so it asked for permission to proceed. If this happens to you as well, click Advanced... then Accept the Risk and Continue. This happens as a result of Nessus using a security certificate that the web browser does not recognize.

Next, click the Nessus Essentials bullet from the list, then Continue to move on with the installation.


Nessus will require you to submit a name and email to receive an activation code. Copy/paste the code you receive in the email to the Activation Code field on the next page. Once this is complete, Nessus will ask you to register a username and password for an account.

Nessus will begin installing necessary components after the user registration is complete. This install will take a few minutes so now may be a good time to take a quick break.

After the plugins install, you will be greeted with a Nessus welcome screen. For now just click Close to exit this window.

The home screen will look fairly empty but if you get this screen it means you have successfully downloaded Nessus.
Task 3 Navigation and Scans
What is the name of the button which is used to launch a scan?

To begin a Nessus scan click the + New Scan button in the top right corner of the Nessus Web Application.
New Scan
What side menu option allows us to create custom templates?

The Policies selection on the left sidebar under the Resources header will allow you to create custom templates.
Policies
What menu allows us to change plugin properties such as hiding them or changing their severity?

To change plugin properties, select Plugin Rules on the left sidebar.
Plugin Rules
In the ‘Scan Templates’ section after clicking on ‘New Scan’, what scan allows us to see simply what hosts are alive?

In the New Scan menu there are several different options. To find active hosts select the Host Discovery option.
Host Discovery
One of the most useful scan types, which is considered to be ‘suitable for any host’?

The type of scan suitable for any host is Basic Network Scan.
Basic Network Scan
What scan allows you to ‘Authenticate to hosts and enumerate missing updates’?

Credentialed Patch Audit
What scan is specifically used for scanning Web Applications?

Web Application Tests
Task 4 Scanning!
Create a new ‘Basic Network Scan’ targeting the deployed VM. What option can we set under ‘BASIC’ (on the left) to set a time for this scan to run? This can be very useful when network congestion is an issue.

To create a scan that runs on a set time, start a new Basic Network Scan then select Schedule on the left bar under the Basic submenu. In the Schedule configuration select the Enabled toggle switch. This will enable scheduling and allow you to select a time and frequency. Note, the free version of Nessus will only allow one schedule at a time. For more you will need to upgrade to Nessus Professional.
Schedule
Under ‘DISCOVERY’ (on the left) set the ‘Scan Type’ to cover ports 1-65535. What is this type called?

To scan all 65535 ports on the host, select Discovery from the left side menu. Then in the Scan Type dropdown select Port scan (all ports).
Port scan (all ports)
What ‘Scan Type’ can we change to under ‘ADVANCED’ for lower bandwidth connection?

For a lower bandwidth connection, select Advanced from the left sidebar, then in Scan Type select Scan low bandwidth links from the dropdown menu.
Scan low bandwidth links
Remember to set the Targets option, in the Basic > General menu, to include the IP address of the TryHackMe virtual machine, and give the scan a name.

With these options set, launch the scan.
No answer needed

To view the results of the scan select the Vulnerabilities tab at the top. It may take a while for the scan to complete. My scan is still going 20 minutes later but gave enough information to continue answering the question. Results may vary.

After the scan completes, which ‘Vulnerability’ in the ‘Port scanners’ family can we view the details of to see the open ports on this host?

To view open ports found by the scan, click the Nessus SYN scanner from the list of vulnerabilities.
Nessus SYN scanner
What Apache HTTP Server Version is reported by Nessus?
To find the web server version in use, select Apache HTTP Server Version from the Vulnerabilities list. This shows the VM is running Apache version 2.4.99.

2.4.99
Task 5 Scanning a Web Application!
The previous task indicated there is a webserver running on the target machine on port 80. To run a scan of this web application, start a new scan from the home menu and select Web Application Tests.

In the New Scan menu, give the scan a name, identify the target IP address, click the arrow to the right of the Save button then click Launch to begin the web app scan. Allow this scan a few minutes to run before attempting the following questions.
What is the plugin id of the plugin that determines the HTTP server type and version?

To find the plugin ID select the HTTP Server Type and Version vulnerability from the list. This may be inside the HTTP (Multiple Issues) Vulnerability header.
10107
What authentication page is discovered by the scanner that transmits credentials in cleartext?

First click on the Web Server (Multiple Issues). Then click on Web Server Transmits Cleartext Credentials.

In this section you can find the webpage that transmits login credentials in cleartext.

login.php
What is the file extension of the config backup?

To find the config backup information, click on Backup Files Disclosure and look at the File line in the Output section.

.bak
Which directory contains example documents? (This will be in a php directory)

The directory containing the example documents can be found by selecting Browsable Web Directories in the Vulnerabilities list. Look for the line http://10.10.23.155/external/phpids/0.6/docs/examples/

/external/phpids/0.6/docs/examples/
What vulnerability is this application susceptible to that is associated with X-Frame-Options?


The vulnerability associated with X-Frame-Options is Clickjacking. This can be found by clicking the Web Application Potentially Vulnerable to Clickjacking and reading more about the vulnerability. The first line of the description explains that the web server does not set an X-Frame-Options response header which could leave the server vulnerable to Clickjacking.
Clickjacking
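
To verify a fix for this finding, the following added example (not from the original write-up and not Nessus's plugin logic) decides from a set of response headers whether a page is protected against framing. It goes one step beyond the description above by also accepting the Content-Security-Policy frame-ancestors directive, the modern equivalent of X-Frame-Options. The function names and sample headers are assumptions constructed for illustration.

```python
def csp_directive(csp, name):
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None

def framing_protection(headers):
    """Return (protected, reason) for a dict of HTTP response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # Browsers that support frame-ancestors use it in preference to X-Frame-Options.
    sources = csp_directive(h.get("content-security-policy", ""), "frame-ancestors")
    if sources is not None:
        if "*" in sources:
            return False, "frame-ancestors allows any origin"
        return True, "frame-ancestors " + " ".join(sources)

    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo:
        # ALLOW-FROM is obsolete and ignored by current browsers.
        return False, "X-Frame-Options value not honoured: " + xfo
    return False, "no X-Frame-Options or frame-ancestors header"

# Constructed sample responses, not captured from the room's VM.
SAMPLES = {
    "no protection": {"Server": "Apache", "Content-Type": "text/html"},
    "x-frame-options": {"X-Frame-Options": "sameorigin"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "obsolete value": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, framing_protection(sample))
```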